---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sc
spec:
  template:
    spec:
      containers:
      - name: cloudsql-proxy
        # yamllint disable-line rule:line-length
        image: gcr.io/cloudsql-docker/gce-proxy:1.14@sha256:96689ad665bffc521fc9ac3cbcaa90f7d543a3fc6f1c84f81e4148a22ffa66e0
        command: ["/cloud_sql_proxy",
                  "-instances=pixie-prod:us-west1:pixie-cloud-prod-db-pg13=tcp:5432",
                  "-ip_address_types=PRIVATE",
                  "-credential_file=/secrets/cloudsql/db_service_account.json"]
        # [START cloudsql_security_context]
        securityContext:
          runAsUser: 2  # non-root user
          allowPrivilegeEscalation: false
        # [END cloudsql_security_context]
        volumeMounts:
        - name: pl-db-secrets
          mountPath: /secrets/cloudsql
          readOnly: true
      # [END proxy_container]
      volumes:
      - name: pl-db-secrets
        secret:
          secretName: pl-db-secrets
